All data controllers are required to comply with the eight data protection standards set out under the Act. These data protection standards are outlined below:
Personal data must be processed fairly and lawfully and must not be obtained by deception or any misleading information. There must be a legitimate reason for processing the data. The data subject must expressly consent to the processing of their data, and such consent must be informed, freely given, specific, and unequivocal.
The data subject must be provided with all the relevant information regarding the processing of their personal data which would enable the data subject to make an informed decision. Note, however, that consent is not deemed to be 'freely given' if the data subject is required, as a condition for the provision of goods or services, to consent to the collection, use, or disclosure of their personal data beyond what is reasonable for the provision of those goods/services.
Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with those purposes. Prior to collecting the personal data, companies would be required to specify the purpose for obtaining the data and would not be permitted to use the data for any other purpose without first informing, and where necessary, receiving the consent of the data subject. For example, where a company collects the personal data of its customers such as a telephone number or email address to provide a specific service, the company is prohibited from disclosing and/or selling the data to a third party for direct marketing purposes without first obtaining the customer's consent.
The Act defines 'direct marketing' as 'approaching a data subject in person or by any means of communication (electronic or otherwise) for the direct or indirect purpose of promoting or offering to supply any goods or services'. Additionally, personal data must not be obtained for any illegal or immoral purpose.
Personal data must be adequate, relevant, and must only be limited to the purpose for which it is being processed. The data collected by companies must be relevant to the specified purpose it was collected for and must not be more than what is reasonably required. The processing of too much data may amount to an invasion of privacy.
Personal data must be accurate and, where necessary, kept up to date. A company would not be in breach of this standard if the inaccurate data was provided by the data subject or a third party. However, companies that process personal data would be required to take reasonable steps to verify the accuracy of the data.
Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the Act. This is, however, subject to any applicable retention periods prescribed by law. The Act does not speak to what would be considered an appropriate retention period for personal data. However, companies would be required to inform the data subject of the expected period of retention of their personal data, and this must be clearly set out in a privacy notice.
Personal data must be processed in accordance with the rights of the data subject. Some of these rights include the right to access the data and the right to prevent processing of the data in certain specified circumstances.
Personal data must be protected using appropriate technical and organizational measures so as to prevent unauthorized or unlawful processing of the data as well as any accidental loss or destruction of, or damage to, the data. Some of these technical and organizational measures would include:
- conducting security audits;
- implementing data protection policies and privacy notices;
- proper training of employees on the handling, storage, and disclosure of personal data;
- pseudonymisation and encryption of the data;
- limiting employees' access to the data;
- ensuring that any data-processing software and antivirus software used by the company are effectively maintained and up-to-date;
- selecting data processors who sufficiently guarantee that they have adequate security measures in place and will report security breaches; and
- the ability to restore the availability of and access to, personal data in a timely manner in the event of a physical or technical incident.
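The pseudonymisation and access-limiting measures listed above are stated at policy level. As an added illustration (my own example code, not the Act's text and not code from the page), the following Python shows a keyed pseudonymisation step a data controller might apply before handing customer records to an internal analytics team: each direct identifier is replaced by an HMAC of the customer's e-mail address under a secret key that is stored separately from the dataset, and only the fields needed for the stated analytics purpose are retained. The sample records, the field names and the choice of e-mail as the linking identifier are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample customer records (fictional, for the example only).
CUSTOMERS = [
    {"name": "A. Brown", "email": "A.Brown@example.com", "phone": "876-555-0100",
     "parish": "Kingston", "plan": "basic", "spend_jmd": 4500},
    {"name": "C. Campbell", "email": "c.campbell@example.com", "phone": "876-555-0101",
     "parish": "St. James", "plan": "premium", "spend_jmd": 12900},
    {"name": "A. Brown", "email": "a.brown@example.com", "phone": "876-555-0100",
     "parish": "Kingston", "plan": "basic", "spend_jmd": 800},
]

# Fields that directly identify a person and must not reach the analytics team.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# The only fields the (assumed) analytics purpose actually needs.
ANALYTICS_FIELDS = ("parish", "plan", "spend_jmd")


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash of an identifier.

    Same key + same identifier gives the same pseudonym, so records of one
    customer stay linkable inside the dataset, but without the key the
    pseudonym cannot be turned back into the e-mail address.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields=ANALYTICS_FIELDS) -> dict:
    """Replace direct identifiers with a pseudonym and keep only needed fields."""
    out = {"subject_id": pseudonym(key, record["email"])}
    for name in fields:
        out[name] = record[name]
    return out


def pseudonymise_dataset(records: list, key: bytes, fields=ANALYTICS_FIELDS) -> list:
    return [pseudonymise_record(r, key, fields) for r in records]


def leaks_direct_identifiers(output: list, originals: list) -> bool:
    """Release check: no identifier field names or raw identifier values
    may appear anywhere in the pseudonymised dataset."""
    serialized = json.dumps(output).lower()
    for record in output:
        if any(field in record for field in DIRECT_IDENTIFIERS):
            return True
    for record in originals:
        for field in DIRECT_IDENTIFIERS:
            if record[field].strip().lower() in serialized:
                return True
    return False


if __name__ == "__main__":
    # The key is generated here for the demo; in practice it lives in a key
    # store with access limited to the staff who may re-link records.
    key = secrets.token_bytes(32)
    dataset = pseudonymise_dataset(CUSTOMERS, key)
    print(json.dumps(dataset, indent=2))
    print("leaks identifiers:", leaks_direct_identifiers(dataset, CUSTOMERS))
```

The key is the sensitive component: whoever holds it can re-link pseudonyms to customers, so it should be kept apart from the dataset and covered by the same access limits as the raw identifiers. Rotating the key produces a fresh set of pseudonyms, which breaks linkage with earlier extracts; that is sometimes desirable when the retention period for an extract ends. Because re-linking is possible for the key holder, the output is pseudonymised rather than anonymised and should still be handled as personal data.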
Personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. In determining what is considered an 'adequate level of protection', the Commissioner would consider, among other things:
- the nature of the data;
- the State or territory of final destination;
- the laws of the State or territory;
- the international obligations of the State or territory; and
- the security measures taken by the State or territory.
The Act, however, imposes certain limitations on this standard, such as where the data subject has consented to the transfer or where the transfer is necessary for reasons of a substantial public interest or for the performance of a contract.
Not every person who processes personal data is required to appoint a Data Protection Officer (DPO). However, the Data Protection Act (DPA) underscores the importance of organizations appointing a DPO. Having a DPO can greatly assist in ensuring compliance with the DPA.
Here are some of the key functions of a DPO:
- Advice: DPOs guide policy development and its implementation, promote staff awareness of data protection, and consult with the Information Commissioner on interpreting and applying DPA provisions.
- Data Protection Impact Assessments (DPIAs): DPOs lead the process of conducting DPIAs for high-risk data processing, assessing privacy impact and suggesting risk mitigation.
- Monitoring: DPOs regularly monitor the organization's data processing activities to assess their compliance with data protection standards and recommend measures for remedying any non-compliance.
- Data Breach Management: DPOs investigate and manage data breaches, notify affected individuals, report to the Information Commissioner, minimize impact, and recommend preventive measures.
Here are some important considerations when selecting a DPO:
- Familiarity and Access: Deep knowledge of the organization, its processes, and sector, with unrestricted access to observe data processing activities in all areas.
- Legal Knowledge and/or Specialized Privacy Training: A deep understanding of data protection laws, regulations, and good practices to ensure compliance across all organizational levels.
- Audit or Compliance Experience: Skill in identifying data processing risks and analyzing adherence to legal requirements and established protection procedures.
- Technical Skills and Independence: Understanding of IT and data security and freedom to report to the Commissioner any violations of the data protection standards.
- Excellent Communication Skills: Capability to foster data privacy culture among employees and collaborate with stakeholders for a holistic data protection approach organization-wide.
The Data Protection Act (DPA) of Jamaica stands as a critical framework ensuring the responsible handling and protection of personal information. As stewards of personal data, data controllers play a pivotal role in safeguarding the privacy rights of individuals, ensuring compliance with legal standards, and fostering a culture of trust and transparency in the digital landscape of Jamaica.
Data controllers who process personal data must register with the Information Commissioner, as processing personal data without being registered is an offence.
The Data Protection Act requires a data controller to have a Data Protection Officer if it is a public authority; is mandated to do so by a Commissioner's notice; or processes sensitive personal data, personal data relating to convictions, or personal data on a large scale.
A data controller must submit a Data Protection Impact Assessment covering all personal data in their control to the Commissioner within the first 90 days of each calendar year.
Data controllers must comply with the eight standards for processing personal data prescribed by the Act. These relate to fairness and lawfulness, purpose limitation, data minimization, accuracy, technical and organizational measures, adequacy requirements, storage limitation, and respect for data subject rights in the processing of personal data.
The Data Protection Act mandates data controllers to report breaches or contraventions of the Act to the Commissioner within 72 hours of becoming aware and also to alert affected data subjects.
There are several factors data controllers should consider to determine whether they qualify as large-scale processors and need to appoint a DPO:
- The volume (in terms of actual quantity) and/or variety (the range or number of different types) of personal data being processed. Example: insurance companies processing both health and financial information.
- The number of employees processing the personal data and/or the number of locations at which the data is processed. Example: BPOs and financial institutions with hundreds of employees in branches islandwide.
- The geographical extent of processing, i.e. whether local only or also regional or international. Example: airline companies and travel agencies processing personal data of travellers in various countries.
- Whether the filing system is singular or complex and/or the duration or permanence of the processing, including how long data is retained. Example: financial institutions storing customer data for several years to meet regulatory requirements and provide ongoing financial services.